Posts Tagged Weltimmo

Choices, choices. I will continue to follow the GDPR for jurisdictional purposes, including territorial scope. (And I have a paper coming up on conflict of laws issues in the private enforcement of same). But for much of the GDPR enforcement debate, I am handing over to others. Johannes Marosi, for instance, who reviews the CJEU judgment this week in Fansites, over at Verfassungsblog. I reviewed the AG’s Opinion here.

Judgment in Grand Chamber but with small room for cheering.

As Johannes’ post explains, there are many loose ends in the judgment, and little reference to the GDPR (technically correct but from a compliance point of view wanting). (As an aside: have a look at Merlin Gömann’s paper, in CMLREv, on the territorial scope of the GDPR).

Apologies for late reporting. Bot AG opined end of October in C‑210/16 Fansites.[The official name of the case is Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH, in the presence of Facebook Ireland Ltd, Vertreter des Bundesinteresses beim Bundesverwaltungsgericht. It’s obvious why one prefers calling it Fansites].

The Advocate-General summarises (para 2-3) the case as involving ‘proceedings between the Wirtschaftsakademie Schleswig-Holstein GmbH, a company governed by private law and specialising in the field of education (‘the Wirtschaftsakademie’), and the Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein, a regional data-protection authority in Schleswig-Holstein (‘ULD’) concerning the lawfulness of an order issued by the latter against the Wirtschaftsakademie requiring it to deactivate a ‘fan page’ hosted on the website of Facebook Ireland Ltd. The reason for that order was the alleged infringement of the provisions of German law transposing Directive 95/46. Specifically, visitors to the fan page were not warned that their personal data are collected by the social network Facebook (‘Facebook’) by means of cookies that are placed on the visitor’s hard disk, the purpose of that data collection being to compile viewing statistics for the administrator of the fan page and to enable Facebook to publish targeted advertisements.’

The case ought to clarify the extent of the powers of intervention of supervisory authorities such as ULD with regard to the processing of personal data which involves the participation of several parties (at 13). I had flagged earlier that this case is relevant to the jurisdictional and applicable law issues involving datr cookies.

Whatever the outcome of the case, its precedent value will be limited by the imminent entry into force of the new General Data Protection Regulation – GDPR. The GDPR clearly introduces a ‘one-stop principle’ with only one lead authority (in FB’s case, Ireland’s data protection agency) having the authority to act (see also the AG’s observation of same in para 103).

As prof Lorna Woods in excellent analysis observes, the issue comes down to the interpretation of the phrase from Art. 4(1)(a), ‘in the context of the activities of an establishment’. Dan Svantesson has most superb analysis of Article 4(1)(a) here, anyone interested in the issue will find his insight most helpful.

Now, the Advocate-General leans heavily on Weltimmo however I would suggest its precedent value for the Fanpages case is constrained. Weltimmo concerned a company set up in Slovakia but with no relevant activities at all in that Member State. Indeed as the Court itself observed (at 16-18) , the company was effectively male fide (my words, not the CJEU’s) moving its servers and creating fog as to its exact whereabouts. In other words a case of blatant abuse. There is no suggestion of abuse in Fanpages. Moreover according to the CJEU in C-230/14 Weltimmo the phrase ‘in the context of the activities of an establishment’ cannot be interpreted restrictively (AG’s reference in para 87), yet that CJEU holding in Weltimmo cross-refers to Google Spain in which the crucial issue was whether EU data protection laws apply at all. That is very different in Weltimmo and in Fanpages. That EU authorities have jurisdiction and that EU privacy law applies is not at issue.

There is sufficient argument to find in the Directive, even before its transformation into the GDPR, that in cases such as these the same processing operation ought to be governed by the laws of just one Member State. It would be good for the CJEU to recognise that even before the entry into force of the GDPR.

A lot of attention last week went to the CJEU’s annulment of the EC’s ‘Safe Harbour’ decision in Schrems v Facebook(aka Austrian student takes on internet giant). I will not detail that finding for I assume, for once, that readers will be au fait with that judgment. For those who are not: please refer to Steve Peers for excellent analysis as per usual. It is noteworthy though that the CJEU’s finding in Schrems is based in the main on a finding of ultra vires: often easily remedied, as those with a background in public law will know.

Schrems (held 6 October) confirmed the Court’s approach to the EU’s prescriptive jurisdiction in data protection laws, as in Google Spain. However the Thursday before, on 1 October, the Court took a more restrictive view on ‘executive’ or ‘enforcement’ jurisdiction in Case C-230/14 Weltimmo. Lorna Woods has the general context and findings over at EU Law analysis. The essence in my view is that the Court insists on internal limitations to enforcement. It discussed the scope of national supervisory authority’s power in the context of Directive 95/4, the same directive which was at issue in Google Spain. The Court held

Where the supervisory authority of a Member State, to which complaints have been submitted in accordance with Article 28(4) of Directive 95/46, reaches the conclusion that the law applicable to the processing of the personal data concerned is not the law of that Member State, but the law of another Member State, Article 28(1), (3) and (6) of that directive must be interpreted as meaning that that supervisory authority will be able to exercise the effective powers of intervention conferred on it in accordance with Article 28(3) of that directive only within the territory of its own Member State. Accordingly, it cannot impose penalties on the basis of the law of that Member State on the controller with respect to the processing of those data who is not established in that territory, but should, in accordance with Article 28(6) of that directive, request the supervisory authority within the Member State whose law is applicable to act.

In other words, the supervisory authority in a Member State can examine the complaints it receives even if the law that applies to the data processing is the law of another Member State. However the scope of its sanctioning power is limited by its national borders.

This finding (I appreciate there are caveats) has important implications for the discussion on the territorial reach of the so-called ‘righ to be forgotten’. It supports in my view, the argument that the EU cannot extend its right to be forgotten rule to websites outside the EU’s domain. I have a paper forthcoming which discusses the various jurisdictional issues at stake here and the impact of Weltimmo on same.